Abstract



We use multilinear maps to provide a solution to the long-standing problem of public-key broadcast encryption where all parameters in the system are small. In our constructions, ciphertext overhead, private key size, and public key size are all poly-logarithmic in the total number of users. The systems are fully secure against any number of colluders. All our systems are based on an $O(\log N)$-way multilinear map to support a broadcast system for $N$ users. We present three constructions based on different types of multilinear maps and providing different security guarantees. Our systems naturally give identity-based broadcast systems with short parameters.

1 Introduction 

Broadcast encryption [FN94] is an important generalization of public-key encryption to the multi- 
user setting. In a broadcast encryption scheme, a broadcaster encrypts a message for a subset S of 
users who are listening on a broadcast channel. The broadcaster can encrypt to any set S of its 
choice, and any user in S can decrypt the broadcast using its secret key. The system is said to be 
fully collusion resistant if even a coalition of all users outside of S learns nothing about the plaintext. 
Broadcast systems are regularly used in TV and radio subscription services where broadcasts are 
encrypted for currently active subscribers. They are also used in encrypted file systems where a file 
is encrypted so that only users who have access to the file can decrypt it. 

The efficiency of a broadcast system is measured in the ciphertext overhead: the number of bits 
in the ciphertext beyond what is needed for the description of the recipient set S and the symmetric 
encryption of the plaintext payload. The shorter the overhead, the better. We say that the system 
has low overhead if the ciphertext overhead depends at most logarithmically on the number of 
users N in the system. 

Existing constructions with low ciphertext overhead. Several broadcast systems are fully collusion resistant with low ciphertext overhead. The first such system by Boneh, Gentry, and Waters [BGW05] is built from bilinear maps. It has constant ciphertext overhead and short secret keys, but the public encryption key size is linear in the number of users $N$. Other systems using bilinear maps achieve adaptive security [GW09, DPP07] and some are even identity-based [GW09, Del07, SF07], but the public encryption key is always large.






Multilinear maps give secret-key broadcast systems with optimal ciphertext overhead [BS03, GGH13a, FHPS13, CLT13, BW13]. However, in these systems the broadcaster's key must be kept secret, and they require an $N$-way multilinear map to support $N$ users. Current constructions of $N$-linear maps [GGH13a, CLT13] have group elements of size $O(N^2)$ bits, resulting in large space requirements. While these broadcast systems can be made public-key by including a few group elements in the ciphertext, their dependence on $N$-linear maps leads to an $O(N^2)$ ciphertext overhead, which is worse than the trivial broadcast system. Until this work, it has not been known how to use multilinear maps to construct low overhead broadcast systems with a short public encryption key.

A third class of constructions employs the powerful candidates for indistinguishability obfuscation (iO) [BGI+01, GGH+13b]. Using iO it is possible to build a public-key broadcast system with optimal ciphertext overhead, short private keys, and a short public key [BZ13]. The resulting systems have several other remarkable properties. However, current iO candidates add considerable complexity on top of multilinear maps. Our goal here is to construct broadcast systems using only simple assumptions on multilinear maps, namely, without relying on iO.

Our results. We describe three broadcast systems for $N$ users that use an $O(\log N)$-way multilinear map. The systems have ciphertext overhead and decryption key of only $O(1)$ group elements, which is $O(\log^2 N)$ bits using the current multilinear map candidates. The public encryption key contains $O(\log N)$ group elements, which is $O(\log^3 N)$ bits. The first system uses an asymmetric multilinear map and follows the [BGW05] construction closely. It uses the $O(\log N)$-way multilinear map to compress the public key of that system from $O(N)$ group elements to $O(\log N)$ elements while keeping the ciphertext overhead and secret key short. We prove static security under a multivariate equivalent of the [BGW05] assumption.

The second system uses a general symmetric $O(\log N)$-way multilinear map to similarly compress the public key in [BGW05]. The added flexibility of a symmetric map has both positive and negative consequences. On the negative side, this flexibility allows the adversary to combine extra elements together. To maintain security we must ensure that all user indexes $u \in [N]$ are mapped to integers $u \in [O(N \log N)]$ where all $u$ have the same Hamming weight. This mapping does not affect ciphertext or private key size. On the positive side, this flexibility allows us to obtain slightly better parameters and base security on a slightly simpler, though similar, complexity assumption.

The third system is built from a symmetric $O(\log N)$-way map, but we can prove adaptive security of the scheme in generic multilinear groups. This system has secret keys of length $O(\log^3 N)$ bits, which is longer than the previous two schemes, but has a tighter security proof in generic groups.

Because the parameters of these systems are logarithmic in $N$, we can let $N$ be exponential, and in particular be as large as the range of a collision resistant hash function (e.g., $N = 2^{256}$). This, in effect, turns all our broadcast systems into efficient identity-based schemes. A user with identity $\mathrm{id} \in \{0,1\}^*$ is given the secret key associated with index number $H(\mathrm{id}) \in [N]$ where $H$ is a collision resistant hash whose range is $[N]$. A broadcaster can then transmit to a set of recipients simply by hashing their public identities. For this reason, we describe all our broadcast systems as identity-based broadcast schemes.

Additional related work. Collusion resistant broadcast encryption has been widely studied. 
Revocation systems (e.g., [NNL01, HS02, GST04, DF02, LSW10]) can encrypt to $N - r$ users with ciphertext size of $O(r)$. Further combinatorial solutions (e.g., [NP00, DF03]) achieve similar parameters. A broadcast encryption system is said to be recipient-private if broadcast ciphertexts reveal nothing about the intended set of recipients [BBW06, LPQ12, FP12]. Our broadcast systems are not recipient private, and it is a long-standing open problem to build a low-overhead recipient-private broadcast system. Such a system was recently built using indistinguishability obfuscation [BZ13], but constructing such systems under weaker assumptions remains open.

2 Preliminaries 

2.1 Broadcast Encryption 

We begin by defining broadcast encryption. A (public key) identity-based broadcast encryption scheme consists of the following four randomized algorithms:

Setup($\mathcal{ID}$): Sets up a broadcast scheme for identity space $\mathcal{ID}$. It outputs public parameters params as well as a master secret key msk.

KeyGen(msk, $u$): Takes the master secret key and a user $u \in \mathcal{ID}$ and outputs a secret key $\mathrm{sk}_u$ for user $u$.

Enc(params, $S$): The encryption algorithm takes the public parameters and a polynomial sized set $S \subseteq \mathcal{ID}$ of recipients, and produces a pair (Hdr, $K$). We refer to Hdr as the header, and $K$ as the message encryption key. The message is encrypted using a symmetric encryption scheme with the key $K$ to obtain a ciphertext $c$. The overall ciphertext is (Hdr, $c$).

Dec(params, $u$, $\mathrm{sk}_u$, $S$, Hdr): The decryption algorithm takes the header Hdr and the secret key for user $u$, and if $u \in S$, outputs the message encryption key $K$. If $u \notin S$, the decryption algorithm outputs $\bot$.

To actually decrypt the overall ciphertext (Hdr, $c$), user $u$ runs Dec to obtain $K$, and then decrypts $c$ using $K$ to obtain the message.

For correctness, we require that the decryption algorithm always succeeds when it is supposed to. That is, for every (params, msk) output by Setup($\mathcal{ID}$), every set $S \subseteq \mathcal{ID}$, every $\mathrm{sk}_u$ output by KeyGen(msk, $u$), and every (Hdr, $K$) output by Enc(params, $S$) where $u \in S$, we have Dec(params, $u$, $\mathrm{sk}_u$, $S$, Hdr) $= K$.

Several notions of security are possible. We start by defining adaptive chosen ciphertext security. For any adversary $A$, let EXP($b$) denote the following experiment on $A$:

Setup: The challenger runs (params, msk) $\leftarrow$ Setup($\mathcal{ID}$), and gives $A$ the public key params.

Secret Key Queries: $A$ may adaptively make secret key queries for users $u \notin S^*$. In response, the challenger runs $\mathrm{sk}_u \leftarrow$ KeyGen(msk, $u$) and gives $\mathrm{sk}_u$ to $A$.

CCA Queries: $A$ may make chosen ciphertext queries on tuples ($u$, $S$, Hdr). The challenger responds with Dec(params, $u$, $\mathrm{sk}_u$, $S$, Hdr) where $\mathrm{sk}_u \leftarrow$ KeyGen(msk, $u$).[1]

[1] Another variation is to have the challenger maintain a table of ($u$, $\mathrm{sk}_u$) pairs, and only run KeyGen once for a particular user, using a single $\mathrm{sk}_u$ to answer multiple secret key and CCA queries. Note that the correctness of a broadcast scheme implies that this does not affect CCA queries.
Challenge: $A$ submits a set $S^* \subseteq \mathcal{ID}$, subject to the restriction that $u \notin S^*$ for any user $u$ requested in a secret key query. The challenger lets (Hdr$^*$, $K_0$) $\leftarrow$ Enc(params, $S^*$). If $b = 0$, the challenger gives (Hdr$^*$, $K_0$) to the adversary. If $b = 1$, the challenger computes a random key $K_1$ and gives (Hdr$^*$, $K_1$) to the adversary.

More Secret Key Queries: $A$ may continue making secret key queries for users $u \notin S^*$.

More CCA Queries: $A$ may continue making CCA queries on headers Hdr $\neq$ Hdr$^*$.[2]

Guess: A produces a guess b' for b. 

Using a simple hybrid argument, we can assume the adversary makes only a single challenge query. Let $W_b$ be the event that $A$ outputs 1 in EXP($b$). We define the adaptive CCA advantage of $A$ as

$$\mathrm{BE}^{(\mathrm{adv})}_A = \big|\Pr[W_0] - \Pr[W_1]\big|$$

Definition 2.1. A broadcast encryption scheme is adaptively secure under a chosen ciphertext attack (adaptively CCA-secure) if, for all polynomial time adversaries $A$, $\mathrm{BE}^{(\mathrm{adv})}_A$ is negligible.

We will also consider several weaker notions of security. For example, we get static security if 
we require A to commit to the challenge set S* before seeing the public parameters. We also get 
CPA security if we do not allow chosen ciphertext queries. In this paper, we will be focusing on the 
following notion of static CPA security, but will also discuss the other variants: 

Definition 2.2. A broadcast encryption scheme is statically secure under a chosen plaintext attack (statically CPA-secure) if, for all polynomial time adversaries $A$ that must commit to $S^*$ before seeing the public parameters and cannot make CCA queries, $\mathrm{BE}^{(\mathrm{adv})}_A$ is negligible.

2.2 Multilinear Maps 

We now review multilinear maps. A multilinear map consists of two algorithms:

Setup($n$): Sets up an $n$-linear map. It outputs $n$ groups $G_1, \dots, G_n$ of prime order $p$, along with generators $g_i \in G_i$. We call $G_1$ the source group, $G_n$ the target group, and $G_2, \dots, G_{n-1}$ intermediate groups.

$e_{i,j}(g, h)$: Takes in two elements $g \in G_i$ and $h \in G_j$ with $i + j \le n$, and outputs an element of $G_{i+j}$ such that

$$e_{i,j}(g_i^a, g_j^b) = g_{i+j}^{ab}$$

We often omit the subscripts and just write $e$. We can also generalize $e$ to multiple inputs as $e(h^{(1)}, \dots, h^{(k)}) = e(h^{(1)}, e(h^{(2)}, \dots, h^{(k)}))$.

We sometimes call $g_i^a$ a level-$i$ encoding of $a$. The scalar $a$ itself could be referred to as a level-0 encoding of $a$. Then the map $e$ combines a level $i$ encoding and a level $j$ encoding, and produces a level $i + j$ encoding of the product.

We will make use of asymmetric multilinear maps. In such maps, groups are indexed by integer vectors rather than integers. The pairing operation maps $G_{\mathbf{v}_1} \times G_{\mathbf{v}_2}$ into $G_{\mathbf{v}_1 + \mathbf{v}_2}$. More precisely, we have the following algorithms:

[2] Another potentially stronger variation is to require $(S, \mathrm{Hdr}) \neq (S^*, \mathrm{Hdr}^*)$.
Setup($\mathbf{n}$): Sets up an $\mathbf{n}$-linear map, where $\mathbf{n}$ is some positive integer vector. It outputs a description of groups $G_{\mathbf{v}}$ of prime order $p$ where $\mathbf{v}$ are non-negative integer vectors and $\mathbf{v} \le \mathbf{n}$ (that is, the comparison must hold component-wise). It also outputs a description of generators $g_{\mathbf{v}} \in G_{\mathbf{v}}$.[3] Let $\mathbf{e}_i$ be the $i$th standard basis vector, with a 1 at position $i$ and a 0 elsewhere. We call $G_{\mathbf{e}_i}$ the $i$th source group, $G_{\mathbf{n}}$ the target group, and the rest of the $G_{\mathbf{v}}$ groups are intermediate groups.

$e_{\mathbf{v}_1, \mathbf{v}_2}(g, h)$: Takes in two elements $g \in G_{\mathbf{v}_1}$ and $h \in G_{\mathbf{v}_2}$ with $\mathbf{v}_1 + \mathbf{v}_2 \le \mathbf{n}$, and outputs an element of $G_{\mathbf{v}_1 + \mathbf{v}_2}$ such that

$$e_{\mathbf{v}_1, \mathbf{v}_2}(g_{\mathbf{v}_1}^a, g_{\mathbf{v}_2}^b) = g_{\mathbf{v}_1 + \mathbf{v}_2}^{ab}$$

We often omit the subscripts and just write $e$. We can also generalize $e$ to multiple inputs as $e(h^{(1)}, \dots, h^{(k)}) = e(h^{(1)}, e(h^{(2)}, \dots, h^{(k)}))$.

We note that there are some potential difficulties in implementing schemes based on multilinear 
maps using actual constructions of graded encodings [GGH13a, CLT13]. First, the representations 
of the group elements are not unique. This presents two potential problems: 

• The representation of a group element may leak the multiplication/pairing operations that led to that group element. This is fixed by introducing a re-randomization procedure after multiplying or pairing, which causes the distribution of representations to be statistically independent of the multiplication and pairing operations that led to that element.

• Even if multiple parties hold the same group element, they may have different representations. 
This is fixed by introducing an extraction procedure which operates on elements of the target 
group G n and extracts a canonical representation of those elements. While the extraction 
procedure only works on elements of the target group, this will be sufficient for our purposes. 

Other difficulties with existing constructions are the following: 

• There is a noise term that grows with the number of multiplication and pairing operations - 
if the noise term grows too large, then the extraction procedure fails. 

• Users cannot directly perform exponentiation. Instead, users must create a "level-0" encoding 
of an element, and then perform exponentiation by pairing with the level-0 encoding. However, 
users cannot create a level-0 encoding of an element of their choice. Instead, they can compute 
a level-0 encoding of a random (unknown) element. We note that whoever sets up the 
multilinear map can perform direct exponentiation. This will be crucial for our schemes. 

3 Our Asymmetric Multilinear Map Construction 

In this section, we give our first construction of identity-based broadcast encryption from multilinear maps. Our construction is closely related to the scheme of Boneh, Gentry, and Waters [BGW05], henceforth referred to as the BGW scheme. Recall in their scheme, the public parameters consist of $O(N)$ source group elements (where $N$ is the number of users), secret keys and headers are a constant number of source group elements, and the message encryption key is a group element in the target group. Our goal is to shrink the public key size to $O(\log N)$ group elements. We accomplish this by embedding the BGW scheme in a multilinear map, where the BGW parameters lie in an intermediate group. The BGW public parameters can then be derived from a small number of elements in the source group of the map; these few source group elements are the new public key.

[3] There may be an exponential number of groups and generators. The setup algorithm outputs a set of parameters from which the groups $G_{\mathbf{v}}$ and generators $g_{\mathbf{v}}$ can be derived. In particular, each $g_{\mathbf{v}}$ can be derived from the pairing operation and $\{g_{\mathbf{e}_i}\}$, where $\mathbf{e}_i$ is the $i$th standard basis vector.

In more detail, the significant component of the BGW public key are the elements $Z_1 = g_1^{\alpha}, Z_2 = g_1^{\alpha^2}, \dots, Z_N = g_1^{\alpha^N}, Z_{N+2} = g_1^{\alpha^{N+2}}, \dots, Z_{2N} = g_1^{\alpha^{2N}}$. The rest of the BGW public keys, secret keys, and header components are also elements in $G_1$, whereas the message encryption key is an element in the group $G_2$.

Let $N = 2^n - 1$ for some integer $n$, and let $\mathbf{n} = (1, \dots, 1)$ be the vector of $n+1$ 1s. Our idea is to use an asymmetric multilinear map, where the target group is $G_{2\mathbf{n}}$. We note that pairing two elements in $G_{\mathbf{n}}$ gives an element in $G_{2\mathbf{n}}$. Thus, while the entire multilinear map is asymmetric, the pairing operation acts symmetrically on the group $G_{\mathbf{n}}$. Now we replace the groups $G_1$ and $G_2$ in the BGW scheme with $G_{\mathbf{n}}$ and $G_{2\mathbf{n}}$. Thus $Z_u = g_{\mathbf{n}}^{\alpha^u}$. Rather than explicitly include the $Z_u$ in the public parameters, we give a few group elements in the groups $G_{\mathbf{e}_i}$ where $\mathbf{e}_i$ are the standard basis vectors. Specifically, we provide the parameters $X_i = g_{\mathbf{e}_i}^{\alpha^{2^i}}$ for $i = 0, \dots, n-1$. By pairing various subsets of these $X_i$ together, we can build all of the $Z_u$ for $u \le 2^n - 1 = N$. In particular, if $u = \sum_{i=0}^{n-1} u_i 2^i$ is the binary representation of $u$, then

$$Z_u = e\big(X_0^{u_0}, X_1^{u_1}, \dots, X_{n-1}^{u_{n-1}}, g_{\mathbf{e}_n}\big)$$

where we take $X_i^0$ to be $g_{\mathbf{e}_i}$ and $X_i^1 = X_i$.

To allow computation of $Z_u$ for $u \ge 2^n + 1 = N + 2$, we might decide to publish $g_{\mathbf{e}_n}^{\alpha^{2^n}}$. However, this would allow computation of $Z_{N+1} = Z_{2^n}$, which would break the security of the BGW scheme. Therefore, we instead publish $X_n = g_{\mathbf{e}_n}^{\alpha^{2^n + 1}}$. Then, for $u \in [N+2, 2N]$, let $u' = u - (2^n + 1) = \sum_{i=0}^{n-1} u'_i 2^i$. Then we can write

$$Z_u = e\big(X_0^{u'_0}, X_1^{u'_1}, \dots, X_{n-1}^{u'_{n-1}}, X_n\big)$$

Now we make the observation that $O(\log N)$-way graded encodings remain efficient even up to exponential $N$. Therefore, we can actually make our scheme identity-based, where identities are bit strings of length $n$, with the caveat that $0^n$ is not a valid identity. Now we give our entire construction:

Construction 3.1. Let Setup$'$ be the setup algorithm for a multilinear map, where groups have order $p$. Our first identity-based broadcast scheme consists of the following algorithms:

Setup($n$): Takes as input the length $n$ of identities. Let $\mathcal{ID} = \{0,1\}^n \setminus \{0^n\}$ be the identity space. Let $\mathbf{n}$ be the all-ones vector of length $n+1$. Run Setup$'$ on $2\mathbf{n}$, obtaining the public parameters params$'$ for a multilinear map with target group $G_{2\mathbf{n}}$.

Choose a random $\alpha \in \mathbb{Z}_p$ and let $X_i = g_{\mathbf{e}_i}^{\alpha^{2^i}}$ for $i = 0, \dots, n-1$ and let $X_n = g_{\mathbf{e}_n}^{\alpha^{2^n + 1}}$. Also choose a random $\gamma \in \mathbb{Z}_p$ and let $Y = g_{\mathbf{n}}^{\gamma}$. Lastly, let $W = g_{2\mathbf{n}}^{\alpha^{2^n}}$. The public key is

$$\mathrm{params} = \big(\mathrm{params}', W, \{X_i\}_{i \in \{0, \dots, n\}}, Y\big)$$

The master secret key is $(\alpha, \gamma)$.
KeyGen(params, $\alpha$, $\gamma$, $u$): The secret key for identity $u \in [1, 2^n - 1]$ is $\mathrm{sk}_u = g_{\mathbf{n}}^{\gamma \alpha^u} = Z_u^{\gamma}$.

Enc(params, $S$): Recall that we can compute $Z_j$ for $j \in [1, 2^n - 1]$ from the public parameters $\{X_i\}_{i \in \{0, \dots, n-1\}}$. Pick a random $t \in \mathbb{Z}_p$ and compute the key and header as

$$K = W^t = g_{2\mathbf{n}}^{t\alpha^{2^n}} \quad\text{and}\quad \mathrm{Hdr} = \Big(g_{\mathbf{n}}^t,\ \big(Y \cdot \prod_{j \in S} Z_{2^n - j}\big)^t\Big) = \Big(g_{\mathbf{n}}^t,\ g_{\mathbf{n}}^{t(\gamma + \sum_{j \in S} \alpha^{2^n - j})}\Big)$$

Dec(params, $u$, $\mathrm{sk}_u$, $S$, Hdr): If $u \notin S$, output $\bot$. Otherwise, write Hdr as $(C_0, C_1)$. Recall that we can also compute $Z_j$ for $j \in [2^n + 1, 2^{n+1}]$. Output

$$K = \frac{e(Z_u, C_1)}{e\big(\mathrm{sk}_u \cdot \prod_{j \in S, j \neq u} Z_{2^n - j + u},\ C_0\big)}$$

If $C_0$ and $C_1$ are as above, then we can write $K = g_{2\mathbf{n}}^{c}$ where

$$c = \alpha^u t\Big(\gamma + \sum_{j \in S} \alpha^{2^n - j}\Big) - \Big(\gamma\alpha^u + \sum_{j \in S, j \neq u} \alpha^{2^n - j + u}\Big) t$$

Most of the terms cancel, leaving $c = t\alpha^{2^n}$ as desired.



Implementation details. As mentioned in Section 2, there are some potential issues with implementing our scheme using current multilinear map constructions [GGH13a, CLT13]. First, during normal operations, computing $g_1^{\alpha}$ for a random $\alpha$ involves computing a "level-0" encoding of a random (unknown) $\alpha$, and then pairing with $g_1$. In order to compute $g_1^{\alpha^2}$, we would pair $g_1$ with the level-0 encoding twice. However, the noise growth with repeated pairing operations would prevent us from computing $g_1^{\alpha^{2^i}}$ for sufficiently large $i$. Instead, the setup algorithm must choose an explicit (known) $\alpha \in \mathbb{Z}_p$, compute the various $\alpha^{2^i}$, encode these powers as level-0 encodings, and only then pair with $g_1$. This requires knowing the secrets used to set up the multilinear map, meaning the broadcaster must set up the map himself and cannot rely on maps generated by trusted parties.

To make sure the header does not leak any important information, we also need to re-randomize 
the header components. This means re-randomization parameters need to be included for the group 
G n . No other re-randomization parameters are necessary. 

Before discussing security, we must discuss our new security assumption, which is closely related to the bilinear Diffie-Hellman Exponent assumption (BDHE) as used in BGW.

3.1 The Hybrid Diffie-Hellman Exponent (HDHE) Assumption

We define the (computational) $n$-Hybrid Diffie-Hellman Exponent problem as follows: Let params$'$ $\leftarrow$ Setup$'(2\mathbf{n})$ where $\mathbf{n}$ is the all-ones vector of length $n+1$. Choose $\alpha \in \mathbb{Z}_p$ at random, and let $X_i = g_{\mathbf{e}_i}^{\alpha^{2^i}}$ for $i = 0, \dots, n-1$ and $X_n = g_{\mathbf{e}_n}^{\alpha^{2^n + 1}}$. Choose a random $t \in \mathbb{Z}_p$ and let $V = g_{\mathbf{n}}^t$. Given $(\{X_i\}_{i \in \{0, \dots, n\}}, V)$, the goal is to compute $K = g_{2\mathbf{n}}^{t\alpha^{2^n}}$.

We now define the decisional $n$-Hybrid Diffie-Hellman Exponent problem as, given the tuple $(\{X_i\}_{i \in \{0, \dots, n\}}, V, K)$ where $K$ is either $g_{2\mathbf{n}}^{t\alpha^{2^n}}$ or a random element of $G_{2\mathbf{n}}$, to distinguish the two cases.

Definition 3.2. We say the decisional $n$-Hybrid Diffie-Hellman Exponent assumption holds for Setup$'$ if, for any polynomial $n$ and probabilistic polynomial time algorithm $A$, $A$ has negligible advantage in solving the decisional $n$-Hybrid Diffie-Hellman Exponent problem.

Given the $X_i$ for $i = 0, \dots, n-1$, it is straightforward to compute $g_{\mathbf{n}}^{\alpha^j}$ for any $j \in [0, 2^n - 1]$. Moreover, including $X_n$, it is straightforward to extend this to $j \in [2^n + 1, 2^{n+1}]$. However, computing $K = g_{2\mathbf{n}}^{t\alpha^{2^n}}$ from the $X_i$ and $V$ appears difficult. The reason is that we only have one term that depends on $t$, namely $V$. So to compute $K$, we would need to pair $V$ with some combination of the $X_i$. In other words, we need to be able to compute $g_{\mathbf{n}}^{\alpha^{2^n}}$ from the $X_i$. However, since $\mathbf{n}$ has a one in each component, we can never pair any of the $X_i$ with itself. This means we can only compute products of terms of the form $e(X_0^{s_0}, X_1^{s_1}, \dots, X_n^{s_n})$ for $s_i \in \{0, 1\}$, where we take $X_i^0 = g_{\mathbf{e}_i}$. Notice that we can never include $X_n$, since then we would already exceed the desired degree of $2^n$. Put another way, we can only compute products of terms of the form

$$g_{\mathbf{n}}^{\prod_{i \in S} \alpha^{2^i}}$$

where $S \subseteq [0, n-1]$. However, $\prod_{i \in S} \alpha^{2^i} = \alpha^{\sum_{i \in S} 2^i}$, and $\sum_{i \in S} 2^i < 2^n$ for all subsets $S \subseteq [0, n-1]$. This is the basis for our assumption that the $n$-HDHE problem is hard. In Appendix B, we discuss the difficulty of our assumption in the generic multilinear map model.

3.2 Security Of Our Construction 

With our assumption defined, we can now state and prove the security of our scheme: 

Theorem 3.3. Let Setup' be the setup algorithm for a multilinear map, and suppose that the 
decisional n-Hybrid Diffie-Hellman Exponent assumption holds for Setup'. Then the scheme in 
Construction 3.1 is a statically secure identity-based broadcast encryption scheme. 

Proof. Our proof closely follows the proof of security for the BGW scheme [BGW05]. Suppose we have an adversary $A$ that breaks the static security of the scheme. We use $A$ to build an adversary $B$ that breaks the decisional $n$-HDHE problem for Setup$'$. $B$ works as follows:

• $B$ obtains a challenge tuple $(\mathrm{params}', \{X_i\}_{i \in [0,n]}, V, K)$ where:

  – params$'$ $\leftarrow$ Setup$'(2\mathbf{n})$ where $\mathbf{n}$ is the all-ones vector of length $n+1$.

  – $X_i = g_{\mathbf{e}_i}^{\alpha^{2^i}}$ for $i = 0, \dots, n-1$ for a random $\alpha \in \mathbb{Z}_p$.

  – $X_n = g_{\mathbf{e}_n}^{\alpha^{2^n + 1}}$.

  – $V = g_{\mathbf{n}}^t$ for a random $t \in \mathbb{Z}_p$.

  – $K = g_{2\mathbf{n}}^{t\alpha^{2^n}}$ or $K$ is a random group element in $G_{2\mathbf{n}}$.

• $B$ simulates $A$ until $A$ submits a subset $S \subseteq [1, 2^n - 1]$ of users that $A$ will challenge.

• $B$ chooses a random $r \in \mathbb{Z}_p$. It sets

$$Y = g_{\mathbf{n}}^{r} \Big/ \prod_{u \in S} Z_{2^n - u}$$

where the $Z_j$ are calculated from the $X_i$ as before. This amounts to setting

$$\gamma = r - \sum_{u \in S} \alpha^{2^n - u}$$

Since $r$ is uniform in $\mathbb{Z}_p$ and independent of $\alpha$, so is $\gamma$. $B$ also computes

$$\tilde{W} = e\big(g_{\mathbf{e}_0}, g_{\mathbf{e}_1}, \dots, g_{\mathbf{e}_{n-2}}, X_{n-1}, g_{\mathbf{e}_n}\big)$$

and

$$W = e(\tilde{W}, \tilde{W})$$

Observe that $\tilde{W} = g_{\mathbf{n}}^{\alpha^{2^{n-1}}}$ and hence $W = g_{2\mathbf{n}}^{\alpha^{2^n}}$.

• $B$ gives $A$ the public parameters $(W, \{X_i\}_{i \in [0,n]}, Y)$.

• Now $A$ is allowed to ask for private keys for users $u \notin S$. $B$ computes

$$\mathrm{sk}_u = Z_u^{r} \Big/ \prod_{j \in S} Z_{2^n - j + u}$$

Since $u \notin S$, every index $2^n - j + u$ lies in $[2, 2^{n+1} - 2] \setminus \{2^n\}$, so all of these $Z_j$ can be computed from the $X_i$. Observe that

$$\mathrm{sk}_u = g_{\mathbf{n}}^{r\alpha^u - \sum_{j \in S} \alpha^{2^n - j + u}} = g_{\mathbf{n}}^{\alpha^u \left(r - \sum_{j \in S} \alpha^{2^n - j}\right)} = g_{\mathbf{n}}^{\gamma\alpha^u}$$

as desired.

• When $A$ asks for the challenge, $B$ lets Hdr $= (V, V^r)$ and responds with (Hdr, $K$). Observe that

$$\Big(Y \cdot \prod_{j \in S} Z_{2^n - j}\Big)^t = \big(g_{\mathbf{n}}^{r}\big)^t = V^r$$

which means $(V, V^r)$ is a valid header for the set $S$. Also observe that if $K = g_{2\mathbf{n}}^{t\alpha^{2^n}}$, then $K$ is the correct key for this header.

• When $A$ returns a guess $b$ for which $K$ it is given, $B$ returns $b$ as its guess.

As shown above, $B$ perfectly simulates the view of $A$ in the broadcast encryption security game. Therefore, $B$ has the same advantage as $A$; since the advantage of $B$ is negligible under the assumption, so is the advantage of $A$, as desired.

□ 

4 Our Symmetric Multilinear Map Construction 

In this section, we give our second construction of broadcast encryption, this time from traditional symmetric multilinear maps. That is, we do not require the more complicated asymmetric structure of Construction 3.1, but can use a basic multilinear map. The idea, however, is very similar. We implement BGW [BGW05] in middle levels of the multilinear map, and use elements in the bottom level to generate the BGW public parameters. As in Section 3, the BGW parameters will have the form $Z_u = g_{n-1}^{\alpha^u}$, which can be computed from the public parameters $X_i = g_1^{\alpha^{2^i}}$.
However, we run into a problem. With asymmetric maps, we could enforce that $X_i$ could not be paired with itself. This was used to ensure that $Z_{2^n}$ was not computable given $X_i$ for $i = 0, \dots, n$. However, in the symmetric multilinear map setting, $X_{n-1}$ could be paired with itself, giving $Z_{2^n}$. Instead, we create a hole by limiting the total number of $X_i$ that can be paired together. If we allow only $n-1$ of them to be paired together, the first hole occurs at $Z_{2^n - 1}$: the exponent $2^n - 1$ has $n$ ones in its binary representation, whereas a sum of $n-1$ powers of two has at most $n-1$. We therefore set $N = 2^n - 2$ so that the hole is at $N + 1$ as in BGW.

Notice that a second hole occurs at $Z_{2^n + 2^{n-1} - 1}$, and since $2^n + 2^{n-1} - 1 < 2(2^n - 2) = 2N$, we cannot yet compute all the $Z_u$ needed by BGW. One possible fix is to include extra $X_i$ that can be used to fill in the unwanted holes. Instead, we opt to restrict the bit representations of all identities in the system to having the same Hamming weight. We show that this allows the computation of all the necessary $Z_u$.

We now describe our scheme: 

Construction 4.1. Let Setup$'$ be the setup algorithm for a multilinear map, where groups have order $p$. Our second identity-based broadcast scheme consists of the following algorithms:

Setup($n$, $\ell$): Sets up a broadcast scheme for $n$-bit identities with Hamming weight $\ell$. Run Setup$'$ on $n + \ell - 1$, obtaining the public parameters params$'$ for a multilinear map with target group $G_{n + \ell - 1}$. Let $\alpha, \gamma \in \mathbb{Z}_p$ be chosen at random. Let $W = g_{n+\ell-1}^{\alpha^{2^n - 1}}$. Compute $X_i = g_1^{\alpha^{2^i}}$ for $i = 0, \dots, n$. Lastly, let $Y = g_{n-1}^{\gamma}$. Output

$$\mathrm{params} = \big(\mathrm{params}', W, \{X_i\}_{i \in [0,n]}, Y\big)$$

The master secret key is $(\alpha, \gamma)$.

KeyGen(params, $\alpha$, $\gamma$, $u$): The secret key for an identity $u \in \{0,1\}^n$ of Hamming weight $\ell$ is $\mathrm{sk}_u = g_{n-1}^{\gamma\alpha^u}$.

Enc(params, $S$): Let $Z_j = g_{n-1}^{\alpha^j}$. We will show shortly that we can compute all of the necessary $Z_j$ from the $X_i$. Pick a random $t \in \mathbb{Z}_p$ and compute the key and header as

$$K = W^t = g_{n+\ell-1}^{t\alpha^{2^n - 1}} \quad\text{and}\quad \mathrm{Hdr} = \Big(g_{\ell}^t,\ \big(Y \cdot \prod_{j \in S} Z_{2^n - 1 - j}\big)^t\Big) = \Big(g_{\ell}^t,\ g_{n-1}^{t(\gamma + \sum_{j \in S} \alpha^{2^n - 1 - j})}\Big)$$

Dec(params, $u$, $\mathrm{sk}_u$, $S$, Hdr): If $u \notin S$, output $\bot$. Otherwise, write Hdr $= (C_0, C_1)$. Also let $Z'_u = g_{\ell}^{\alpha^u}$. We will shortly show that $Z'_u$ can be computed from the $X_i$. Compute

$$K = \frac{e(Z'_u, C_1)}{e\big(\mathrm{sk}_u \cdot \prod_{j \in S, j \neq u} Z_{2^n - 1 - j + u},\ C_0\big)}$$

If $C_0, C_1$ are as above, notice that we can write $K = g_{n+\ell-1}^{c}$ where

$$c = \alpha^u t\Big(\gamma + \sum_{j \in S} \alpha^{2^n - 1 - j}\Big) - \Big(\gamma\alpha^u + \sum_{j \in S, j \neq u} \alpha^{2^n - 1 - j + u}\Big) t = t\alpha^{2^n - 1}$$

as desired.

We need to show how to compute $Z_j$ and $Z'_j$.
Claim 4.2. Let $Z_j = g_{n-1}^{\alpha^j}$ and $Z'_j = g_{\ell}^{\alpha^j}$. Let $X_i = g_1^{\alpha^{2^i}}$ for $i = 0, \dots, n$. Then, using group multiplications and pairing operations on the $X_i$ (and the generators $g_k$), it is possible to compute:

• $Z'_j$ for $j \in [1, 2^n - 2]$ of weight exactly $\ell$.

• $Z_{2^n - 1 - j}$ for $j \in [1, 2^n - 2]$ of weight exactly $\ell$.

• $Z_{2^n - 1 - j + u}$ for $j, u \in [1, 2^n - 2]$, $j \neq u$, of weight exactly $\ell$.

Proof. Let $h(j)$ denote the Hamming weight of $j$. First, observe that we can easily compute $g_{h(j)}^{\alpha^j}$ for $j \in [2^n - 1]$ by pairing together the $X_i$ where the $i$th bit of $j$ is 1. This allows us to compute the $Z'_j$, since $h(j) = \ell$.

We can also compute $g_{n-\ell}^{\alpha^{2^n - 1 - j}}$ for any $j$ of weight exactly $\ell$, since $2^n - 1 - j$ has weight $n - \ell$. Thus, we can pair with $g_{\ell - 1}$ to get $Z_{2^n - 1 - j}$.

Now we show how to compute $Z_{2^n - 1 - j + u}$. $2^n - 1 - j$, written as a bit string, has Hamming weight $n - \ell$. Therefore, write $2^n - 1 - j = \sum_{i \in T} 2^i$ for some subset $T \subseteq [0, n-1]$ of size $n - \ell$. Similarly, write $u = \sum_{i \in U} 2^i$ for some subset $U \subseteq [0, n-1]$ of size $\ell$. Notice that $U$ and $T$ are only disjoint if $2^n - 1 - j + u = 2^n - 1$, in which case $j = u$. Since we do not allow this case, there must be some $i \in [0, n-1]$ inside both $U$ and $T$. Then we can write

$$2^n - 1 - j + u = \sum_{i' \in T \setminus \{i\}} 2^{i'} + \sum_{i' \in U \setminus \{i\}} 2^{i'} + 2^{i+1}$$

which is the sum of $(n - \ell - 1) + (\ell - 1) + 1 = n - 1$ powers of two, each at most $2^n$. This means we can write

$$Z_{2^n - 1 - j + u} = e\Big(\{X_{i'}\}_{i' \in T \setminus \{i\}},\ \{X_{i'}\}_{i' \in U \setminus \{i\}},\ X_{i+1}\Big)$$

which is the pairing of $n - 1$ of the $X_i$ (the same $X_{i'}$ may appear more than once, which the symmetric map permits) and therefore lies in $G_{n-1}$, as desired. □
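The following Python check is an added example rather than code from the paper; it makes the hole argument and Claim 4.2 concrete for small parameters. In the symmetric map every $X_i$ used contributes $2^i$ to the exponent and one to the level, and a plain generator $g_1$ pads the level without changing the exponent, so the exponents reachable in $G_{n-1}$ are exactly the sums of at most $n-1$ of the values $2^0, \dots, 2^n$, with repetition. The program enumerates that set, collects the indices that Enc and Dec of Construction 4.1 actually need, and confirms that all of them are reachable while $2^n - 1 = N + 1$ is not. Run without the weight restriction, the same check shows that the second hole $2^n + 2^{n-1} - 1$ becomes a needed index, which is why the restriction is there. The parameters $n = 5$, $\ell = 2$ are assumptions of the example.

```python
"""Reachability check for the symmetric construction (added example, not the paper's code)."""
from itertools import combinations_with_replacement


def reachable_exponents(n, k):
    """Exponents e such that g_k^{alpha^e} can be built from X_i = g_1^{alpha^{2^i}}, i in [0, n].

    Each X_i used adds 2^i to the exponent and 1 to the level; padding with the plain
    generator g_1 raises the level without touching the exponent.  Hence the reachable
    exponents at level k are the sums of at most k of the values 2^0, ..., 2^n, with
    repetition (the symmetric map lets an X_i be paired with itself).
    """
    powers = [2**i for i in range(n + 1)]
    reachable = set()
    for size in range(k + 1):
        for multiset in combinations_with_replacement(powers, size):
            reachable.add(sum(multiset))
    return reachable


def identities(n, ell=None):
    """Valid identities: u in [1, 2^n - 2], restricted to Hamming weight ell when ell is given."""
    return [u for u in range(1, 2**n - 1) if ell is None or bin(u).count("1") == ell]


def needed_indices(n, ell=None):
    """Indices j for which Enc or Dec of Construction 4.1 must derive Z_j in G_{n-1}."""
    ids = identities(n, ell)
    needed = set()
    for j in ids:
        needed.add(2**n - 1 - j)                 # Enc: Z_{2^n-1-j} for every recipient j
        for u in ids:
            if u != j:
                needed.add(2**n - 1 - j + u)     # Dec: Z_{2^n-1-j+u} for recipient u, other j
    return needed


def check_claim_4_2(n, ell=None):
    """Summarise which of the claim's requirements hold for the given (n, ell)."""
    level_n_minus_1 = reachable_exponents(n, n - 1)
    needed = needed_indices(n, ell)
    hole, second_hole = 2**n - 1, 2**n + 2**(n - 1) - 1
    # Dec also needs Z'_u = g_ell^{alpha^u}, which is just the ell relevant X_i paired together
    z_prime_ok = ell is None or all(u in reachable_exponents(n, ell) for u in identities(n, ell))
    return {
        "identities": len(identities(n, ell)),
        "all_needed_derivable": needed <= level_n_minus_1,
        "hole_at_N_plus_1": hole not in level_n_minus_1,
        "second_hole_unreachable": second_hole not in level_n_minus_1,
        "second_hole_needed": second_hole in needed,
        "Z_prime_derivable": z_prime_ok,
    }


if __name__ == "__main__":
    print("weight-restricted:", check_claim_4_2(5, 2))
    print("unrestricted:     ", check_claim_4_2(5))
```

With the weight restriction every needed index is reachable and both holes stay out of the way; without it, the pair $j = 1$, $u = 1 + 2^{n-1}$ forces Dec to derive $Z_{2^n + 2^{n-1} - 1}$, which no product of $n-1$ of the $X_i$ can produce.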



Setting $n$ and $\ell$. Suppose we want to handle $\lambda$-bit identities. We would map those identities to bit strings of length $n$ and weight $\ell$. Therefore, we need

$$\lambda \le \log_2 \binom{n}{\ell}$$

A simple solution which minimizes $n$ (and hence the number of elements in the public parameters) is to set $n = \lambda + \lceil (\log_2 \lambda)/2 \rceil + 1$ and $\ell = \lfloor n/2 \rfloor$. However, for existing multilinear map constructions, the multilinearity itself is expensive, so we might try to minimize the total multilinearity $n + \ell - 1$. When $\ell = \lfloor n/2 \rfloor$, the total multilinearity is roughly $1.5(\lambda + (\log_2 \lambda)/2)$. However, setting $n \approx 1.042(\lambda + (\log_2 \lambda)/2)$ and $\ell \approx 0.398(\lambda + (\log_2 \lambda)/2)$ gives us roughly $2^{\lambda}$ identities with total multilinearity about $1.440(\lambda + (\log_2 \lambda)/2)$, slightly beating the trivial construction. The following table gives the settings of $n$ and $\ell$ which minimize the total multilinearity for common identity lengths:



  Length of identities (λ)    n      ℓ     Total multilinearity (n + ℓ − 1)
  128                         138    52    189
  160                         175    62    236
  256                         272    103   374
  512                         545    200   744
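The parameter search behind the table can be reproduced with the following Python program, an added example that is not the paper's code. It implements the constraint $\lambda \le \log_2 \binom{n}{\ell}$ directly with exact integer binomials, gives the $n$-minimizing choice from the text, and searches for the smallest total multilinearity $n + \ell - 1$: for fixed $n$ the binomial grows with $\ell$ up to $n/2$, so the smallest feasible $\ell$ is the best at that $n$, and because the total is at least $n$ the search can stop once $n$ reaches the best total found. Where two pairs tie on the total, the search returns the smaller $n$, which may differ from the pair printed in the table; the total itself agrees.

```python
"""Choosing n and ell for lambda-bit identities (added example, not the paper's code)."""
from math import comb, ceil, log2


def fits(n, ell, lam):
    """True when there are at least 2^lam n-bit strings of weight ell, i.e. lam <= log2 C(n, ell)."""
    return comb(n, ell) >= 2**lam


def simple_choice(lam):
    """The n-minimizing choice from the text: n = lam + ceil(log2(lam)/2) + 1, ell = floor(n/2)."""
    n = lam + ceil(log2(lam) / 2) + 1
    return n, n // 2


def min_total_multilinearity(lam):
    """Smallest n + ell - 1 with C(n, ell) >= 2^lam, returned as (n, ell, n + ell - 1).

    For fixed n the smallest feasible ell gives the smallest total at that n.  Since the
    total is at least n, the search stops once n reaches the best total found so far.
    Ties on the total are resolved towards the smaller n.
    """
    best = None
    n = lam                                  # C(n, ell) <= 2^n, so n >= lam is necessary
    while best is None or n < best[2]:
        for ell in range(1, n // 2 + 1):
            if fits(n, ell, lam):
                total = n + ell - 1
                if best is None or total < best[2]:
                    best = (n, ell, total)
                break
        n += 1
    return best


if __name__ == "__main__":
    for lam in (8, 128, 160, 256, 512):
        print(lam, "simple:", simple_choice(lam), "min total:", min_total_multilinearity(lam))
```

For $\lambda = 128$ the simple choice $(133, 66)$ costs total multilinearity 198, while the optimum is 189, matching the table's first row; the toy case $\lambda = 8$ is small enough to verify by hand ($\binom{11}{4} = 330 \ge 256$ with total 14, and no pair with total 13 works).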
Implementation. As with Construction 3.1, we must take advantage of the secrets used to construct the multilinear map to compute the $X_i$. We also need to re-randomize the header components. This time, however, there are two groups that need re-randomization terms: $G_{\ell}$ and $G_{n-1}$. No other re-randomization parameters are necessary.

4.1 The Multilinear Diffie-Hellman Exponent Assumption 

We define the computational $(n, \ell)$-multilinear Diffie-Hellman Exponent ($(n, \ell)$-MDHE) problem as follows: Let params$'$ $\leftarrow$ Setup$'(n + \ell - 1)$. Choose random $\alpha, t \in \mathbb{Z}_p$, and let $X_i = g_1^{\alpha^{2^i}}$ for $i = 0, \dots, n$. Let $V = g_{\ell}^t$. Given $(\{X_i\}_{i \in [0,n]}, V)$, the goal is to compute $K = g_{n+\ell-1}^{t\alpha^{2^n - 1}}$.

As before, we define the decisional version as the problem of distinguishing $K$ from a random element in $G_{n+\ell-1}$.

Definition 4.3. We say the decisional $(n, \ell)$-multilinear Diffie-Hellman Exponent assumption holds for Setup$'$ if, for any polynomials $n$ and $\ell$ and probabilistic polynomial time algorithm $A$, $A$ has negligible advantage in solving the decisional $(n, \ell)$-multilinear Diffie-Hellman Exponent problem.

This problem appears difficult for the same reasons as the $n$-HDHE assumption from Section 3. Computing $K = g_{n+\ell-1}^{t\alpha^{2^n - 1}}$ requires pairing $V = g_{\ell}^t$ with a term $g_{n-1}^{\alpha^{2^n - 1}}$, which must in turn be computed from the $X_i$. However, there is no way to pair at most $n - 1$ of the $X_i$ to create the desired exponent $2^n - 1$. In Appendix B, we discuss the difficulty of the $(n, \ell)$-MDHE problem in the generic multilinear map model.

4.2 Security of Our Construction 

With our assumption defined, we can now state the security of our scheme: 

Theorem 4.4. Let Setup' be the setup algorithm for a multilinear map, and suppose that the decisional
(n, ℓ)-multilinear Diffie-Hellman Exponent assumption holds for Setup'. Then the scheme in
Construction 4.1 is a secure identity-based broadcast encryption scheme.

Proof. Again, our proof follows BGW [BGW05]. Suppose we have an adversary A that breaks
the security of the scheme. We use A to build an adversary B that breaks the decisional MDHE
problem for Setup'. B works as follows:

• B obtains a challenge tuple (params', {X_i}_{i∈[0,n]}, V, K) where:

  – params' ← Setup'(n + ℓ − 1)

  – X_i = g_1^{α^{2^i}} for i = 0, …, n for a random α ∈ Z_p

  – V = g_ℓ^t for a random t ∈ Z_p

  – K = g_{n+ℓ−1}^{tα^{2^n−1}} or K is a random element in G_{n+ℓ−1}.

• B simulates A until A submits a subset S ⊆ [1, 2^n − 2] of users that all have Hamming weight
ℓ.

• B chooses a random r ∈ Z_p. It sets

    g_{n−1}^γ = g_{n−1}^r / ∏_{u∈S} Z_{2^n−1−u}

where the Z_j are calculated from the X_i as before. This amounts to setting

    γ = r − Σ_{u∈S} α^{2^n−1−u}.

Since r is uniform in Z_p and independent of α, so is γ. B computes

    W = e(X_0, X_1, …, X_{n−1}, g_{ℓ−1}).

Observe that W = g_{n+ℓ−1}^{α^{2^n−1}}.

• B gives A the public parameters (W, {X_i}_{i∈[0,n]}, g_{n−1}^γ).

• Now A is allowed to ask for private keys for users u ∉ S of Hamming weight ℓ. B computes

    sk_u = Z_u^r / ∏_{j∈S} Z_{2^n−1−j+u}

Observe that

    sk_u = g_{n−1}^{rα^u − Σ_{j∈S} α^{2^n−1−j+u}} = g_{n−1}^{γα^u}

as desired.

• When A asks for the challenge, B lets Hdr = (V, e(V, g_{n−1−ℓ})^r) and responds with (Hdr, K).
Observe that

    e(V, g_{n−1−ℓ})^r = g_{n−1}^{rt} = (g_{n−1}^γ ∏_{u∈S} Z_{2^n−1−u})^t

which means (V, e(V, g_{n−1−ℓ})^r) is a valid header for the set S. Also, observe that if K = g_{n+ℓ−1}^{tα^{2^n−1}},
then K is the correct key for this header.

• When A returns a guess b for which K it is given, B returns b as its guess. 

As shown above, B perfectly simulates the view of A in the broadcast encryption security game. 
Therefore, B has the same advantage as A, which must therefore be negligible, as desired. □ 

5 Our Third Construction 

In this section, we give our third and final broadcast scheme. This scheme is based on the basic
broadcast scheme of Gentry and Waters [GW09], henceforth called the GW scheme. Like the BGW
scheme, the GW scheme has public keys consisting of O(N) elements, where N is the number of
users. Our idea is to, similar to Constructions 3.1 and 4.1, run the GW scheme in the higher levels
of a multilinear map, and derive the public key elements from O(log N) low-level elements.

However, unlike the BGW public parameters, which are all derived from a single scalar α ∈ Z_p,
each of the GW public key elements is derived from a separate random scalar. Therefore, we
cannot possibly hope to simulate the GW public key elements exactly. Instead, we generate
them using a Naor-Reingold-style PRF [NR97].

Also, unlike the BGW scheme, the secret keys in the GW scheme have O(N) group elements.
To make our scheme more efficient, and more importantly to make our scheme identity-based, we
need to shrink the secret keys to O(log N) elements. To accomplish this, we observe that the secret
key components are actually some of the outputs of another Naor-Reingold-style PRF, and we can
allow the secret key holder to compute just those outputs by puncturing the PRF, similar to Boneh
and Waters [BW13].

We now present our scheme:

Construction 5.1. Let Setup' be the setup algorithm for a multilinear map, where groups have
order p. Our final identity-based broadcast scheme consists of the following algorithms:

Setup(n) Takes as input the length n of identities. Run the setup algorithm for a multilinear map,
Setup', to construct an (n + 1)-linear map with parameters params'. Draw a random α ∈ Z_p. For
i = 0, …, n − 1 and b = 0, 1, draw random β_{i,b} ∈ Z_p. The public key is

    pk = (params', {X_{i,b} = g_1^{β_{i,b}}}_{i∈[0,n−1], b∈{0,1}}, W = g_{n+1}^α)

For any user u ∈ {0,1}^n, note that we can compute

    Z_u = e(X_{0,u_0}, X_{1,u_1}, …, X_{n−1,u_{n−1}}) = g_n^{∏_i β_{i,u_i}}

KeyGen(params, α, u) Pick a random r_u ∈ Z_p. Let

    U_0^{(u)} = g_1^{r_u}

    U_i^{(u)} = X_{i,1−u_i}^{r_u} = g_1^{r_u β_{i,1−u_i}}   for i = 1, …, n

    U_{n+1}^{(u)} = g_n^α Z_u^{r_u} = g_n^{α + r_u ∏_{i=1}^n β_{i,u_i}}

The secret key for user u is sk_u = {U_i^{(u)}}_{i∈[0,n+1]}.

Observe that for v ≠ u, we can compute Z_v^{r_u} by finding an i* where v_{i*} = 1 − u_{i*}, and computing

    e(X_{1,v_1}, …, X_{i*−1,v_{i*−1}}, U_{i*}^{(u)}, X_{i*+1,v_{i*+1}}, …, X_{n,v_n}) = g_n^{r_u β_{i*,1−u_{i*}} ∏_{i≠i*} β_{i,v_i}} = g_n^{r_u ∏_i β_{i,v_i}} = Z_v^{r_u}

Enc(params, S) Choose a random t ∈ Z_p and compute the key and header as

    K = W^t = g_{n+1}^{αt}   and   Hdr = (g_1^t, (∏_{v∈S} Z_v)^t = g_n^{t Σ_{v∈S} ∏_i β_{i,v_i}})

where the Z_u are computed as above.

Dec(params, u, sk_u, S, Hdr) If u ∉ S, output ⊥. Otherwise, write Hdr = (C_0, C_1). Compute

    K = e(U_{n+1}^{(u)} · ∏_{v∈S, v≠u} Z_v^{r_u}, C_0) / e(U_0^{(u)}, C_1)

Observe that if (C_0, C_1) are as above, we can write K as g_{n+1}^c where

    c = (α + r_u ∏_i β_{i,u_i} + r_u Σ_{v∈S, v≠u} ∏_i β_{i,v_i}) · t − r_u · (t Σ_{v∈S} ∏_i β_{i,v_i}) = αt

as desired.

Correctness follows from the comments above.
Differences from GW. In the Gentry and Waters scheme [GW09], the Z_u are generated independently
and given explicitly in the public parameters (as elements of the source group G_1). In
our scheme, the Z_u are generated pseudorandomly by means of a Naor-Reingold PRF. Similarly, in
the GW scheme, the Z_v^{r_u} for v ≠ u are also given explicitly to user u. In our scheme, we note that
the Z_v^{r_u} for fixed u actually form another Naor-Reingold PRF, which we puncture at the point u to
allow user u to compute the necessary values without learning Z_u^{r_u}. Our puncturing follows the
puncturing used by Boneh and Waters [BW13].



Comparison to Constructions 3.1 and 4.1. Construction 5.1 has a couple of advantages and
disadvantages over our previous schemes:

• Unlike the BGW-based schemes, there are no high-degree terms being generated. This means
we do not need the secret parameters for the multilinear map to set up our scheme. Therefore,
we can use a map from some trusted third party. We do, however, need to make sure re-
randomization parameters are available in the groups G_1 and G_n to re-randomize the header
elements. If we are using a map that we did not set up, we also need to re-randomize the user
secret keys.

• To handle identities of length λ, the total multilinearity of Construction 5.1 is λ + 1. Compare
this to 2λ and 1.440(λ + (log_2 λ)/2) from the previous constructions.

• On the negative side, secret keys in Construction 5.1 consist of O(log N) group elements,
compared to the single element secret keys of the previous schemes.

• For security, we unfortunately are unable to prove security relative to a non-interactive
assumption. In the original GW scheme, the security proof involved manipulating the Z_u for
u ∉ S. Since each of the Z_u are independent in the GW scheme, this is achievable. For our
scheme, however, the Z_u are generated from O(log N) parameters, meaning we cannot modify
them independently. Instead, we opt to prove security in the generic multilinear map model,
which we will show in Appendix B. We note, however, that we obtain a better generic security
theorem than is possible for Constructions 3.1 and 4.1.
A Extensions and Variations
A.1 Parameter Trade-offs

To handle N identities, our multilinear map scheme requires a total multilinearity of roughly
1.5 log_2 N, and roughly log_2 N group elements in the public key. Contrast this to the BGW scheme,
which only requires multilinearity 2, but needs roughly 2N public key elements. Since multilinearity
is expensive, here we discuss a generalization of both the BGW scheme and Construction 4.1 which
allows interpolating between the two. By instantiating the scheme with the right parameters, it
may be possible to obtain better performance.

Observe in our scheme that the main reason for the multilinearity is so that we can compute
many different Z_u, Z'_u from relatively few X_i. For a set ID of users, the Z_u, Z'_u we need to compute
are:

• Z'_u for u ∈ ID

• Z_{h−u} and Z_{h−j+u} for j, u ∈ ID, j ≠ u, for some "hole" h.

We can generalize the requirements using the following definition:

Definition A.1. Let ID be a finite set of positive integers. We say a set T of positive integers
(h, n, ℓ)-covers ID if:

• h > max_{u∈ID} u.

• For every u ∈ ID, u can be represented as a sum of at most ℓ (possibly repeating) integers in
T.

• For every u, j ∈ ID with j ≠ u, h − u and h − j + u can be represented as a sum of at most n − 1 (possibly
repeating) integers in T.

• h can be represented as a sum of at most n + ℓ − 1 (possibly repeating) integers in T.

• h cannot be represented as a sum of fewer than n (possibly repeating) integers in T.

Then the public key will consist of X_i = g_1^{α^i} for i ∈ T (along with the value V). The requirements
for T show that the necessary values of Z_u, Z'_u (as well as W) can be derived from the X_i. The security
assumption the scheme will be based on is the following problem. Let params ← Setup'(n + ℓ − 1),
and choose random α, t ∈ Z_p. Let X_j = g_1^{α^j} for j ∈ T and V = g_ℓ^t. Given ({X_j}_{j∈T}, V), the goal is
to compute K = g_{n+ℓ−1}^{tα^h}. We call this the (T, h, n, ℓ)-(computational) generalized multilinear Diffie-
Hellman Exponent (gMDHE) assumption. The decisional variant is the problem of distinguishing
K from a random element in G_{n+ℓ−1}. The requirements for the hole h ensure that the (T, h, n, ℓ)-
gMDHE problem is not trivially solvable.

Now we give some examples:

• ID = [1, N], T = [1, N] ∪ [N + 2, 2N], h = N + 1, n = 2, and ℓ = 1. Here we recover the
original BGW construction.

• ID = {u ∈ [1, 2^n − 2] : u has weight exactly ℓ}, T = {2^0, 2^1, 2^2, …, 2^n}, h = 2^n − 1. Here we
recover the scheme in Construction 4.1.

• ID = {u ∈ [1, 2^n − 2] : u has weight at most ℓ}, T = {2^0, 2^1, 2^2, …, 2^n, 2^n + 1}, h = 2^n − 1.
Here we get a variant of the scheme in Construction 4.1 where identities do not all need the
same weight. This construction shaves off logarithmic additive factors in the total multilinearity
n + ℓ − 1, at the expense of a more complicated complexity assumption.

• ID = [1, N − 1], T = {1, 2, 3, …, b − 1, b, 2b, …, (b − 1)b, …, N + 1, N + 2, …, N + b}, h = N,
ℓ = n − 1. Here we get a variant of the scheme that uses a base
other than 2. The result is a somewhat larger identity space (or reduced multilinearity) at the
expense of a significantly larger public key. Note that when b = N, n = 2, we again get the
BGW scheme.
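A checker for Definition A.1, added here as an example (Python, not from the paper): a dynamic programme computes the fewest elements of T (with repetition) that sum to each needed value, and the definition's conditions are then tested directly, with j ≠ u in the h − j + u condition as in Section A.1. The BGW instance and the weight-ℓ instance of Construction 4.1 from the examples above are encoded as constructed inputs.

```python
def min_terms_table(T, limit):
    """best[x] = fewest elements of T (repetition allowed) summing to x, or None
    if x is not a sum of elements of T at all."""
    best = [None] * (limit + 1)
    best[0] = 0
    for x in range(1, limit + 1):
        cands = [best[x - t] + 1 for t in T if t <= x and best[x - t] is not None]
        best[x] = min(cands) if cands else None
    return best


def covers(ID, T, h, n, ell):
    """True iff T (h, n, ell)-covers ID in the sense of Definition A.1."""
    ID, T = sorted(set(ID)), sorted(set(T))
    if not h > max(ID):                                   # h is a hole above every identity
        return False
    limit = h + max(ID) - min(ID)                         # largest value needed: h - j + u
    best = min_terms_table(T, limit)

    def at_most(x, k):                                    # x is a sum of at most k elements of T
        return best[x] is not None and best[x] <= k

    if not all(at_most(u, ell) for u in ID):              # Z'_u needs at most ell terms
        return False
    for u in ID:                                          # Z_{h-u}, Z_{h-j+u} need at most n-1 terms
        if not at_most(h - u, n - 1):
            return False
        if not all(at_most(h - j + u, n - 1) for j in ID if j != u):
            return False
    # h (i.e. W) is reachable with n + ell - 1 terms, but never with fewer than n
    return at_most(h, n + ell - 1) and best[h] >= n


def bgw_params(N):
    """ID = [1,N], T = [1,N] U [N+2,2N], h = N+1, n = 2, ell = 1 (the BGW instance)."""
    T = list(range(1, N + 1)) + list(range(N + 2, 2 * N + 1))
    return list(range(1, N + 1)), T, N + 1, 2, 1


def weight_params(n, ell):
    """ID = weight-ell strings in [1, 2^n - 2], T = {2^0..2^n}, h = 2^n - 1 (Construction 4.1)."""
    ID = [u for u in range(1, 2**n - 1) if bin(u).count("1") == ell]
    return ID, [2**i for i in range(n + 1)], 2**n - 1, n, ell
```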

A.2 CCA Security 

Similar to the BGW construction, we can also obtain CCA security. The construction utilizes
a one-time signature scheme (G, Sign, Ver). The main difference is that verification keys for the
signature scheme cannot directly be hashed into the necessary group G_{n−1}, as described by BGW.
The reason is that, in current multilinear map constructions, users cannot sample elements from
intermediate groups directly, but must instead combine elements of the public parameters together
to arrive at group elements. Note that in the multilinear map construction of Garg, Gentry, and
Halevi, users can sample the source group G_1 directly. Therefore, we will hash verification keys into
G_1, and then lift the element to G_{n−1} by pairing with g_{n−2}.

B Security Using Generic Multilinear Maps 

In this section, we discuss the security of our schemes in the generic multilinear map model. In
particular, we explain why our two assumptions, the n-HDHE and (n, ℓ)-MDHE assumptions, are secure
in the generic model, provided p is sufficiently large. This shows Constructions 3.1 and 4.1 are
statically secure in this model for sufficiently large p. We also directly show that Construction 5.1 is
adaptively secure in this model for much smaller p. We note that adaptive proofs of security can
also be obtained for Constructions 3.1 and 4.1, though for much larger p.

Generic Multilinear Maps Generic multilinear maps are a generalization of the generic group
model. Let n be the target integer vector. We represent the groups G_v for integer vectors v using a
random injective function ξ that maps an element x of the additive group Z_p together with a
vector v to a string ξ(x, v) of length m. We are given oracles Mult and Pair to compute the induced
multiplication and pairing operation. More precisely, any algorithm in the generic multilinear map
model interacts with the multilinear map using the following queries:

Encode(x, v) If v is a non-negative integer vector satisfying v ≤ n, then the response is
ξ(x, v). Otherwise return ⊥. Note that we can recover the generator g_v for the group G_v as
Encode(1, v).

Mult(ξ_1, ξ_2, b) If ξ_1 = ξ(x_1, v_1) and ξ_2 = ξ(x_2, v_2) where v_1 = v_2 = v, then return ξ(x_1 + (−1)^b x_2, v).
Otherwise, return ⊥.

Pair(ξ_1, ξ_2) If ξ_1 = ξ(x_1, v_1) and ξ_2 = ξ(x_2, v_2) where v_1 + v_2 = v ≤ n, then return ξ(x_1 · x_2, v).
Otherwise, return ⊥.

Generic security of our assumptions. Using the techniques of Boneh, Boyen, and Goh [BBG05],
it is straightforward to prove hardness results for the n-HDHE and (n, ℓ)-MDHE assumptions in
the generic multilinear map model. However, these assumptions involve high degree exponents (as
high as α^{2^n}), meaning the adversary can construct high degree polynomials (namely, degree n2^n) in
the secrets of the assumption. As a result, we can only bound the generic adversary's advantage to
≈ t^2 2^n / p, where t is the number of queries the adversary makes. This means we must set p to be
somewhat large: if n = λ, λ-bit security would require p ≈ 2^{3λ}, rather than the usual p ≈ 2^λ.

The generic security of our assumptions, together with Theorems 3.3 and 4.4, also shows the
generic static security of Constructions 3.1 and 4.1. We note that it is also possible to show generic
adaptive security for these schemes. However, these generic security results still require p > 2^{3λ}.
Next, we show that, for Construction 5.1, we can actually obtain adaptive generic security for
p ≈ 2^λ.

Theorem B.1. For any generic adversary A whose total number of queries to Encode, Mult, Pair
is polynomial, A has negligible advantage in breaking the adaptive security of Construction 5.1,
provided 1/p is negligible.

Proof. Let A be a generic adaptive attacker. A plays the following game:

• The challenger chooses random β_{i,b} from Z_p for i ∈ [1, n] and b ∈ {0, 1}, random α, t ∈ Z_p, and
a random bit c ∈ {0, 1}. The challenger sets k_c = αt and k_{1−c} to be a random element in Z_p.

• A receives {X_{i,b} = ξ(β_{i,b}, 1)}_{i∈[1,n], b∈{0,1}}, as well as W = ξ(α, n + 1).

• A can adaptively make secret key queries for identities u ∈ {0, 1}^n. In response, A receives
{U_i^{(u)}}_{i∈[0,n+1]} where

    U_0^{(u)} = ξ(r_u, 1) for a randomly chosen r_u ∈ Z_p
    U_i^{(u)} = ξ(r_u · β_{i,1−u_i}, 1) for i = 1, …, n
    U_{n+1}^{(u)} = ξ(α + r_u · ∏_{i=1}^n β_{i,u_i}, n)

We require that for a particular identity u, A can only make a single key query for u.

• A can also adaptively make queries to Encode, Mult, Pair.

• A makes a challenge query on a set S, subject to the restriction that u ∉ S for any u queried
in a secret key query. In response, A receives

    Hdr = (ξ(t, 1), ξ(t · Σ_{v∈S} ∏_{i=1}^n β_{i,v_i}, n))

In addition, A receives K_0 = ξ(k_0, n + 1) and K_1 = ξ(k_1, n + 1).

• A can continue making secret key queries for identities u ∉ S.

• A produces a guess d for c.

Now consider an algorithm B that plays the above game with A. Rather than choose values for
β_{i,b}, α, t, r_u, k_0, k_1, algorithm B treats them as formal variables. B maintains a list

    L = {(p_j, i_j, ξ_j)}

where p_j is a polynomial in the variables {β_{i,b}}_{i∈[1,n], b∈{0,1}}, α, t, k_0, k_1, {r_u}, the integer i_j indexes
the groups, and ξ_j is a string in {0, 1}^m. The list is initialized with the tuples (β_{i,b}, 1, ξ_{2i+b−1})
for randomly generated strings ξ_{2i+b−1} ∈ {0, 1}^m, as well as (α, n + 1, ξ_{2n+1}) for a random string
ξ_{2n+1} ∈ {0, 1}^m. Initially, L contains 2n + 1 entries.

The game starts with giving A the tuple of strings {ξ_j}_{j∈[1,2n+1]}. Now, A is allowed to make
the following queries:

Encode(x, i): If x ∈ Z_p and 1 ≤ i ≤ n + 1, then B looks for a tuple (p, i, ξ) ∈ L, where p is the
constant polynomial equal to x. If such a tuple exists, then B responds with ξ. Otherwise, B
generates a random string ξ ∈ {0, 1}^m, adds the tuple (p, i, ξ) (again, where p is the constant
polynomial equal to x) to L, and responds with ξ.

Mult(ξ_k, ξ_ℓ, b): B looks for tuples (p_k, i_k, ξ_k), (p_ℓ, i_ℓ, ξ_ℓ) ∈ L. If one or both tuples do not exist, then
B responds with ⊥. If both tuples are found, but i_k ≠ i_ℓ, then B responds with ⊥. Otherwise,
B lets i = i_k = i_ℓ, computes the polynomial p = p_k + (−1)^b p_ℓ, and looks for a tuple (p, i, ξ) ∈ L.
If the tuple is found, then B responds with ξ. Otherwise, B generates a random string ξ, adds
the tuple (p, i, ξ) to L, and responds with ξ.

Pair(ξ_k, ξ_ℓ): B looks for tuples (p_k, i_k, ξ_k), (p_ℓ, i_ℓ, ξ_ℓ) ∈ L. If one or both tuples do not exist, then B
responds with ⊥. If both tuples are found, but i = i_k + i_ℓ > n + 1, then B responds with ⊥.
Otherwise, B computes the polynomial p = p_k · p_ℓ, and looks for a tuple (p, i, ξ) ∈ L. If the
tuple is found, then B responds with ξ. Otherwise, B generates a random string ξ, adds the
tuple (p, i, ξ) to L, and responds with ξ.

KeyGen(u): B creates a new formal variable r_u. It adds the tuple (r_u, 1, ξ_0) to L for a randomly
generated ξ_0 ∈ {0, 1}^m. It also adds tuples (r_u β_{i,1−u_i}, 1, ξ_i) for i = 1, …, n, where the ξ_i are
generated at random in {0, 1}^m. Finally, it adds the tuple (α + r_u · ∏_{i=1}^n β_{i,u_i}, n, ξ) for another
randomly generated ξ ∈ {0, 1}^m. B responds with the list of ξ values generated in this step.

Enc(S): B creates new formal variables t, k_0, k_1. It adds several tuples to L:

    (t, 1, ξ_1), (t · Σ_{v∈S} ∏_{i=1}^n β_{i,v_i}, n, ξ_2), (k_0, n + 1, ξ_3), (k_1, n + 1, ξ_4)

where the ξ_j are randomly generated. B gives A the strings ξ_1, ξ_2, ξ_3, ξ_4.

B can increase m arbitrarily, thus making strings ξ hard to guess. Therefore, we can assume
without loss of generality that A only makes Mult and Pair queries on strings obtained from B.

After a polynomial number of queries, A returns a guess d ∈ {0, 1}. Now, B chooses a random
c ∈ {0, 1}. It also chooses random values for β_{i,b}, α, t ∈ Z_p, r_u. It also chooses a random k ∈ Z_p. B
sets k_c = αt and k_{1−c} = k.

The simulation provided by B is perfect unless our choices for the variables β_{i,b}, α, t, k_0, k_1 result
in an equality between the values of two polynomials p_k, p_ℓ that is not an equality of polynomials. More
precisely, the simulation is perfect unless for some k, ℓ the following hold:

• i_k = i_ℓ

• p_k(β_{i,b}, …) − p_ℓ(β_{i,b}, …) = 0, yet the polynomials p_k, p_ℓ are not equal.

Let Fail be the event that these conditions hold for some k, ℓ. We need to bound the probability
that Fail occurs. First, prior to choosing values for all the variables, consider setting k_c = αt as
polynomials. We claim that this does not create any new polynomial equalities.

Claim B.2. Substituting the formal variable k_c with the polynomial αt does not create any new
polynomial equalities. That is, if p_k ≠ p_ℓ before the substitution, the same is true after the substitution.

Before proving Claim B.2, we use it to finish the proof of Theorem B.1. Notice that each of the
polynomials has degree at most 2n + 2. For any pair k, ℓ, the Schwartz-Zippel lemma then shows that,
for p_k ≠ p_ℓ, the probability (p_k − p_ℓ)(β_{i,b}, …) = 0 is at most (2n + 2)/p.

Let q_e, q_m, q_p, q_k be the total number of Encode, Mult, Pair, and KeyGen queries made by A. Then
the total length of L is at most

    |L| ≤ q_e + q_m + q_p + (n + 2) q_k + (2n + 5)

Therefore, the number of pairs is at most

    (q_e + q_m + q_p + (n + 2) q_k + (2n + 5))^2 / 2

Therefore, Fail happens with probability at most

    (q_e + q_m + q_p + (n + 2) q_k + (2n + 5))^2 (2n + 2) / 2p

If Fail does not occur, B's simulation is perfect, and in this case c is independent from A's
view (in particular, c was chosen after the simulation). It is straightforward to show that A's
advantage in winning the broadcast encryption experiment is at most

    (q_e + q_m + q_p + (n + 2) q_k + (2n + 5))^2 (n + 1) / 2p

For polynomial q_e, q_m, q_p, q_k, n, this is negligible provided 1/p is negligible, as desired.

It remains to prove Claim B.2. Suppose there are two polynomials p_k ≠ p_ℓ such that, when we
replace the variable k_c with αt, p_k = p_ℓ. This means p_k − p_ℓ = 0. Moreover, p_k − p_ℓ must have
contained a k_c term, and this term cannot have been multiplied by any other variables. Therefore,
we can write p_k − p_ℓ as

    p_k − p_ℓ = C_0 k_c + C_1 k_{1−c}                                                                              (B.1)
             + C_2 α + (t Σ_{u∈S} ∏_{i=1}^n β_{i,u_i}) · poly_0(t, {r_v}_{v∉S}, {r_v β_{i,1−v_i}}_{v∉S, i∈[1,n]}, {β_{i,b}}_{i∈[1,n], b∈{0,1}})        (B.2)
             + Σ_{u∉S} (α + r_u ∏_{i=1}^n β_{i,u_i}) (C_u t + poly_u({r_v}_{v∉S}, {r_v β_{i,1−v_i}}_{v∉S, i∈[1,n]}, {β_{i,b}}_{i∈[1,n], b∈{0,1}}))   (B.3)
             + poly_1(t, {r_v}_{v∉S}, {r_v β_{i,1−v_i}}_{v∉S, i∈[1,n]}, {β_{i,b}}_{i∈[1,n], b∈{0,1}})                                   (B.4)

where poly_0 has degree 1, each of the poly_u has degree 1, and poly_1 has degree n + 1, and
C_0, C_1, C_2, C_u are constants. If p_k − p_ℓ is non-zero, but substituting k_c as αt makes the difference
zero, we can conclude the following:

• C_0 ≠ 0, C_1 = 0

• Σ_{u∉S} C_u = −C_0. In particular, there is a u ∉ S with C_u ≠ 0.

Now pick some u ∉ S with C_u ≠ 0 and expand out all of the polynomials, looking for monomials
M = t r_u ∏_{i=1}^n β_{i,u_i}. Clearly, Line B.1 gives no such monomials. All monomials in Line B.2 involving
t contain a product ∏_{i=1}^n β_{i,v_i} for some v ∈ S; in particular, v ≠ u. Therefore, Line B.2 gives no
such monomials either. Line B.3 gives exactly one, with a coefficient of C_u. Now, suppose Line B.4
(that is, poly_1) contained the monomial M. This means we can build M by taking the product of a
subset of the terms t, {r_v}_{v∉S}, {r_v β_{i,1−v_i}}_{v∉S, i∈[1,n]}, {β_{i,b}}_{i∈[1,n], b∈{0,1}}. We can infer the following:

• t must be included exactly once in the product

• r_v β_{i,1−v_i} for any v ∉ S, i ∈ [1, n] cannot be included in the product. Otherwise, if v = u,
there will be some β_{i,1−u_i} with positive exponent, and if v ≠ u, then r_v will have a positive
exponent.

• r_u must therefore be included exactly once in the product. r_v for v ≠ u cannot be included.

• β_{i,u_i} must be included for each i.

This means we must multiply n + 2 of the terms together, exceeding the maximum degree of
poly_1. Therefore, we conclude that Line B.4 does not have any monomial M. This means that the
total coefficient for M is C_u ≠ 0. This is true even after substituting k_c with αt, contradicting the
assertion that p_k − p_ℓ = 0. This completes the proof of Theorem B.1. □


